The Hacker News — Cyber Security, Hacking, Technology News

If you are one of the users of the BBC News iPhone app, you might have received a strange message as a breaking news notification earlier this morning.

The message was sent at two separate times. The first read: "NYPD Twitter campaign 'backfires' after hashtag hijacked," and then strangely added: "Push sucks! Pull blows!"

A while later a second notification followed: "BREAKING NEWS No nudity in latest episode of Game of Thrones!!! MORE BREAKING NEWS IIIIII like testing."

Beneath that, the text turned more serious, adding: "This is a breaking news story and the BBC News app will bring you updates as soon as they are available."

Various media outlets reported that the popular BBC News smartphone app had been hijacked by attackers who compromised its “Breaking News” feature and sent bogus messages to users of the BBC News iPhone app.

In fact, BBC developers were testing new push notification features for their apps, and a test message was sent in error this morning.

BBC News responded on its official Twitter account, saying that the notification was “sent in error" to its app subscribers and that its account had not been hacked. "We apologise for previous two test push notifications which were sent in error to BBC News app subscribers,” the BBC tweeted.

We have seen cybercriminals target PCs with ransomware that encrypts your files or locks down your computer and demands a ransom, paid within a set time, to unlock it.

To bring ransomware to mobile devices, cybercriminals have already started writing malicious programs for Android. Last month we reported on a new Police ransomware that locks the device until the victim pays a ransom for the unlock key. But that malware only locked the screen, and a loophole in its implementation allowed users to recover their device and the data stored on the SD card.

Now, to close that loophole, threat actors have adopted encryption in mobile ransomware. The security firm ESET has discovered a new Android ransomware, dubbed Android/Simplocker.A, that encrypts the files on the device's SD card and then demands a ransom from the victim to decrypt them.

Once installed, the malware scans the SD card for image, document and video files with the extensions jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp and mp4, and encrypts them with AES in a separate background thread. After encrypting the files, it displays the following ransom message, written in Russian, which clearly indicates that this threat is targeting Russian Android users.

“WARNING your phone is locked! The device is locked for viewing and distributing child pornography, zoophilia and other perversions. To unlock you need to pay 260 UAH. 1.) Locate the nearest payment kiosk. 2.) Select MoneXy. 3.) Enter {REDACTED}. 4.) Make deposit of 260 Hryvnia, and then press pay. Do not forget to take a receipt! After payment your device will be unlocked within 24 hours. In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!”

The ransomware directs the victim to pay 260 UAH, roughly $21 US, through the MoneXy service, which is not as easily traceable as a regular credit card.

To stay anonymous, the malware author hosts the command-and-control server on a Tor .onion domain, and the malware sends information about the infected device, such as its IMEI number, to that server. ESET's researchers are still analysing the malware:

“Our analysis of the Android/Simplocker.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress – for example, the implementation of the encryption doesn't come close to “the infamous Cryptolocker” on Windows.”

The researchers found that the malware can indeed encrypt the victim's files, which could be lost if the decryption key is not obtained from the malware author by paying the ransom. On the other hand, they strongly advise users against paying the "fine", as there is no guarantee that the attacker will hand over the decryption key even after payment.

Unfortunately, mobile antivirus products can only detect already known threats and may miss new, similar ones. So it is important to always keep a backup of all your files, either manually on a computer or with a cloud backup service such as Dropbox or Google Drive, to protect them from emerging threats.

After introducing a fingerprint scanner in its latest release, Samsung next plans to add iris scanning technology to its future smartphones, both to improve their security and to stay innovative.

According to a report by The Wall Street Journal, Samsung senior vice president Rhee In-jong told analysts and investors at a forum in Hong Kong that the company plans to incorporate biometric sensors such as eye scanners into more of its products as part of its enterprise security software.

“We're looking at various types of biometric mechanisms and one of things that everybody is looking at is iris detection,” Rhee said.

The move is no doubt intended to add a layer of security to its devices. A smartphone with an eye-scanning feature would most likely use the front-facing camera to scan the unique pattern of the user's iris; once the pattern matches the iris image already stored on the phone, the user is given access to the device.

Rhee heads the company's Knox security platform, mobile security software designed to make Samsung phones more secure in the workplace. He said that of the 87 million devices that ship with Samsung Knox, only 1.8 million are actively using it, including at banks, healthcare and financial companies.

That figure is only a fraction of the devices actually distributed, and the company hopes to grow its client base by focusing on new authentication methods for wider adoption. So the technology will likely be integrated with the company's Knox security platform.

“We, as a market leader, are following the market trend,” he said, adding that the eye-scanning feature will more likely be available in high-end phones first.

Apple first brought fingerprint scanning to its iPhone 5, and seven months later Samsung added the same biometric security feature to its new Android-based Samsung Galaxy S5 smartphone. This time, Samsung is ready to give Apple tough competition by offering more advanced biometric features.

Alongside the company's existing security features such as login passwords, PINs and gestures, the iris scanner will add another strong layer of security to Samsung smartphones.

HACKING EYEBALLS TO BYPASS IRIS SCANNER

Biometric information can't be stolen in a phishing attack, for instance, because the unique information is physically attached to each user. But just as hackers found a way to fool Apple's and the Galaxy S5's fingerprint scanners with a fake fingerprint, iris scanners can also be fooled.

In 2012, at the Black Hat conference in Las Vegas, a researcher demonstrated how an attacker could create a spoofed iris template of a real person that could be used to fool the scanners.

Do you think Samsung will be able to deliver a hack-proof iris scanner in its next Galaxy smartphone?

Google is always bound to face trouble over the wide-open nature of its app vetting policies on the Google Play Store, and despite many security measures, the search giant often fails to recognise the Android malware lurking in large numbers on Google Play.

Recently, Google offered users a refund and an additional $5 credit for the bogus antivirus app 'Virus Shield', which potentially defrauded more than 10,000 Android users who downloaded it from the Google Play Store. The step is appreciated, as the refunds cost Google around $269,000.

Now it has been found that a number of malicious Android apps on the Google Play Store secretly turn users' Android devices into small rigs contributing to a large-scale cryptocurrency mining operation.

CRYPTO MINER IN ANDROID APP

Security researchers from the anti-malware firm Lookout have identified several malware apps on the Google Play Store, which they dubbed 'BadLepricon', containing a hidden crypto miner that stealthily uses users' Android devices for the heavy computational work without their knowledge.

BadLepricon was designed to be delivered via wallpaper apps, and researchers found it in five separate apps masquerading as 'Live Wallpaper' apps, each with more than 100 downloads, according to a blog post published Thursday.

"These apps did fulfill their advertised purpose in that they provided live wallpaper apps, which vary in theme from anime girls to 'epic smoke' to attractive men," Meghan Kelly, a Lookout security communications manager, wrote in a company blog post. "However, without alerting you in the terms of service, BadLepricon enters into an infinite loop where -- every five seconds -- it checks the battery level, connectivity, and whether the phone's display was on."

DETECTING MOBILE MALWARE

So if your mobile device is running hotter than usual, you may have a malicious wallpaper app installed that is secretly mining cryptocurrency without your knowledge; once the device connects to the internet, the mining kicks in in the background.

With the rising value of digital coins, cybercriminals have added them to their watchlist and are making every effort to steal your virtual money. Coin mining is the key component of digital currencies, and such malware does not steal data; instead, it mines Bitcoin, Litecoin and Dogecoin using the victim's device.

Google promptly removed the malicious apps as soon as Lookout reported them. This is not the first time Android malware has targeted users' smartphones for mining cryptocurrencies. A few weeks ago researchers from the antivirus firm Trend Micro also spotted two such apps, named 'Songs' and 'Prized', on Google Play that mined Litecoin and Dogecoin without users' knowledge and were downloaded by more than one million users.


A new piece of malware targeting jailbroken Apple iOS devices in an attempt to steal users' credentials has been discovered by Reddit users.

The Reddit jailbreak community discovered the infection, dubbed 'Unflod Baby Panda', on some jailbroken Apple iOS devices on Thursday, after a user noticed that the file was causing apps such as Snapchat and Google Hangouts to crash constantly on his jailbroken iPhone.

CHINA WANTS YOUR APPLE ID & PASSWORDS

Soon after, jailbreak developers examined the mysterious 'Unflod.dylib' file and found that the infection targets jailbroken iOS handsets to capture Apple IDs and passwords from Internet sessions that use Secure Sockets Layer (SSL) to encrypt communications, and is believed to be spreading through Chinese iOS software sites, according to researchers at the German security firm SektionEins.

The researchers found that the captured login information is sent to a server at the IP address “23.88.10.4”, which is suspected to be controlled by individuals in China, as the developer certificate used to sign the malware carries the name Wang Xin.

"Currently the jailbreak community believes that deleting the Unflod.dylib binary and changing the apple-id's password afterwards is enough to recover from this attack. However it is still unknown how the dynamic library ends up on the device in the first place and therefore it is also unknown if it comes with additional malware gifts," the researchers wrote while inspecting the infection. "We therefore believe that the only safe way of removal is a full restore, which means the removal and loss of the jailbreak," they added.

Immediately after the thread on the Reddit jailbreak community was started, several developers in the community warned users not to touch the software, which they suspected was malware, while the researchers noted that manual removal of the infection is possible.

AFFECTED DEVICES

Owners of the iPhone 5 and any other 32-bit jailbroken iOS device might be affected, and are advised to change their Apple ID password after removing the malicious software using the steps below.

However, owners of the latest 64-bit iOS devices such as the iPhone 5S, iPad Air and iPad Mini Retina are likely not affected by the malware.

HOW TO REMOVE MALWARE

1) Download the free iFile app from Cydia and use it to check whether your device is affected.

2) Navigate to /Library/MobileSubstrate/DynamicLibraries/

3) If you see files named Unflod.dylib and Unflod.plist and/or framework.dylib and framework.plist, your device has been affected.

4) Use iFile to delete Unflod.dylib and Unflod.plist and/or framework.dylib and framework.plist.

5) Reboot the device, then immediately change your Apple ID password and security questions. To be on the safe side, enable two-step verification and avoid installing apps from untrusted sources.
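The same check, as an added example that is not part of the original article or of any tool it names: a small Python script that looks for the four indicator files in the directory given in the steps above and, only when explicitly asked, deletes them. It assumes you can run it against the device's filesystem (for example over SSH, or against a copy pulled from the device); the default path and file names are the ones from the article, and the demo directory it creates for itself is constructed.

```python
import tempfile
from pathlib import Path

# Directory and indicator file names from the removal steps in the article.
DYLIB_DIR = "/Library/MobileSubstrate/DynamicLibraries"
UNFLOD_ARTIFACTS = ("Unflod.dylib", "Unflod.plist", "framework.dylib", "framework.plist")


def find_unflod_artifacts(directory=DYLIB_DIR):
    """Return the indicator files present in `directory`, sorted; [] means clean."""
    base = Path(directory)
    if not base.is_dir():
        return []
    return sorted(name for name in UNFLOD_ARTIFACTS if (base / name).exists())


def remove_unflod_artifacts(directory=DYLIB_DIR, dry_run=True):
    """Remove the indicator files. With dry_run=True (the default) nothing is
    deleted; the function only reports what it would remove."""
    removed = []
    for name in find_unflod_artifacts(directory):
        if not dry_run:
            (Path(directory) / name).unlink()
        removed.append(name)
    return removed


def demo():
    """Exercise the check on a constructed directory (not a real device):
    plant two of the four indicators, run the check, then a dry run, then a real removal."""
    with tempfile.TemporaryDirectory() as tmp:
        for planted in ("Unflod.dylib", "framework.plist"):
            (Path(tmp) / planted).write_bytes(b"constructed placeholder")
        found = find_unflod_artifacts(tmp)
        would_remove = remove_unflod_artifacts(tmp, dry_run=True)
        still_there = find_unflod_artifacts(tmp)
        removed = remove_unflod_artifacts(tmp, dry_run=False)
        after = find_unflod_artifacts(tmp)
    return found, would_remove, still_there, removed, after


if __name__ == "__main__":
    print(demo())
```

Run `find_unflod_artifacts()` first; an empty list means none of the files were present. Keep the default dry run until you have confirmed the list, then rerun with `dry_run=False`, reboot, and change the Apple ID password as the steps describe.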

Still, most iPhone users are not vulnerable, as the infection requires the handset to be jailbroken before it can be installed. The malware has also not been spotted in any app on the Apple iOS App Store, thanks to Apple's tight control of the App Store approval process.

The Samsung Galaxy S5 fingerprint feature promises an extra layer of security for your smartphone and also lets you make payments through PayPal. But is it really secure?

Just three days after the launch of the Galaxy S5, security researchers successfully hacked the Galaxy S5 fingerprint sensor using a method similar to the one used to spoof the Touch ID sensor on the iPhone 5S last year.

FOOLING FINGERPRINT SENSOR

SRLabs researchers uploaded a YouTube video demonstrating how they bypassed the fingerprint authentication mechanism and gained unauthorised access using a lifted fingerprint and a wood-glue dummy finger.

The S5 fingerprint scanner allows multiple incorrect attempts without requiring a password, so an attacker could keep trying spoofed fingerprints until one matches.

PAYPAL USERS AT RISK

Samsung Galaxy S5 users can also transfer money to other PayPal users just by swiping a finger on the sensor, but this hack allows an attacker to access your PayPal account and linked bank accounts without ever entering a password.

By contrast, after a restart Apple's iPhone 5S requires you to enter a passcode before the fingerprint can be used to unlock the phone; Samsung has no such safeguard in place at this time.

Of course, one needs physical access to your device to exploit this flaw, but if your phone is stolen, a thief could access anything on it.

The hack once again shows that unlocking a device with a fingerprint is convenient, but not as secure as a passcode.

Heartbleed is by now not a new name for you, as every news website, media outlet and security researcher is talking about probably the biggest Internet vulnerability in recent history. It is a critical bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server's memory, potentially revealing user data that the server did not intend to reveal.

After the story broke, websites around the world were flooded with Heartbleed articles explaining how it works, how to protect yourself, and exactly what it is. Yet many didn't get it right. So, based on readers' queries, we answer some frequently asked questions about the bug.

1.) IS HEARTBLEED A VIRUS?

Absolutely not; it is not a virus. As described in our previous article, the Heartbleed bug is a vulnerability in the TLS heartbeat mechanism built into certain versions of OpenSSL, a popular open source implementation of the Transport Layer Security (TLS) protocol.

2.) HOW IT WORKS?

In the TLS heartbeat mechanism, your computer keeps the connection alive by sending 'heartbeats' that inform the server that the client (computer) is still online (alive).

A Heartbleed attack lets an attacker retrieve a block of up to 64 KB of the server's memory in the response to a malicious heartbeat, and there is no limit on the number of times the attack can be repeated. [Technically explained by Rahul Sasi on Garage4hackers]

It opens the door for cybercriminals to extract sensitive data directly from the server's memory without leaving any traces.
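To make the mechanism above concrete, here is an added Python model of a heartbeat handler; it is not code from the article or from OpenSSL. A heartbeat message carries a type byte, a two-byte payload length, the payload and at least 16 bytes of padding (that layout is from RFC 6520). The root cause of Heartbleed, which is public knowledge, was that the length field was trusted without being compared to the size of the record actually received. The "vulnerable" handler reproduces that omission, the "fixed" handler adds the check that the patched OpenSSL performs, and the neighbouring "secret" bytes and the request are constructed for the demo. Both handlers operate on a bytearray standing in for process memory; Python slicing cannot read past the buffer, so the over-read is bounded here in a way the real C memcpy was not.

```python
import struct
from typing import Optional

# TLS heartbeat message layout (RFC 6520):
#   1 byte  type (1 = request, 2 = response)
#   2 bytes payload_length, big-endian
#   payload_length bytes of payload
#   at least 16 bytes of random padding
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_length lets the demo put a length in the
    header that is larger than the payload actually sent."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(process_memory: bytearray, record_length: int) -> bytes:
    """Flawed logic: payload_length from the header is trusted and never compared
    with record_length, so the copy runs past the message into neighbouring data."""
    hb_type, payload_length = struct.unpack("!BH", process_memory[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    payload = bytes(process_memory[HEADER_LEN:HEADER_LEN + payload_length])  # over-read
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def fixed_handler(process_memory: bytearray, record_length: int) -> Optional[bytes]:
    """Patched logic: the record must hold header + payload_length + padding bytes,
    otherwise the heartbeat is silently discarded (RFC 6520 section 4)."""
    if record_length < HEADER_LEN + MIN_PADDING:
        return None
    hb_type, payload_length = struct.unpack("!BH", process_memory[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > record_length:
        return None  # claimed length exceeds what was received: drop it
    payload = bytes(process_memory[HEADER_LEN:HEADER_LEN + payload_length])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def demo():
    """Constructed scenario: a 2-byte payload whose header claims enough length to
    reach past the padding into unrelated data that happens to follow in memory."""
    neighbour = b"session_cookie=abc123"  # constructed stand-in for other heap contents
    request = build_heartbeat(b"hi", claimed_length=2 + MIN_PADDING + len(neighbour))
    memory = bytearray(request + neighbour)
    leaked = vulnerable_handler(memory, len(request))
    safe = fixed_handler(memory, len(request))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler response contains neighbour data:", b"session_cookie" in leaked)
    print("fixed handler response:", safe)
```

The single added comparison in `fixed_handler` is the whole patch: a length that does not fit inside the record received is rejected rather than honoured. An honest heartbeat (`build_heartbeat(b"hi")` with no claimed length) passes the check and is answered normally.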

[xkcd comic on Heartbleed: http://xkcd.com/1354/]

3.) HEARTBLEED ATTACK RELIES ON MAN-IN-THE-MIDDLE ATTACK?

No, it has nothing to do with a man-in-the-middle (MitM) attack. But using Heartbleed, an attacker may obtain the private key for an SSL/TLS certificate and could then set up a fake website that passes the security verification.

An attacker could also decrypt the traffic passing between a client and a server, i.e. a perfect man-in-the-middle attack on an HTTPS connection.

4.) IS IT A CLIENT SIDE OR SERVER SIDE VULNERABILITY?

TLS heartbeats can be sent by either side of a TLS connection, so the bug can be used to attack clients as well as servers. An attacker can obtain up to 64 KB of memory from a server or a client that uses an OpenSSL implementation vulnerable to Heartbleed (CVE-2014-0160).

Researchers estimate that two-thirds of the world's servers, i.e. half a million servers, are affected by the Heartbleed bug, including websites, email and instant messaging services.


5.) HOW HEARTBLEED AFFECTS SMARTPHONES?

Smartphones are the best practical example of client-side attacks.

All versions of Android include outdated versions of the OpenSSL library, but only Android 4.1.1 Jelly Bean has the vulnerable heartbeat feature enabled by default. BlackBerry also confirmed that some of its products are vulnerable to Heartbleed, whereas Apple's iOS devices are not affected by the OpenSSL flaw.

Google has patched the affected Android 4.1.1, but it will take a long time to deliver the updated version to end users, since updates to most handsets are controlled by phone manufacturers and wireless carriers. Until then, users running the affected version remain vulnerable, and hackers will certainly take advantage of the public disclosure.

6.) WHAT ELSE COULD BE VULNERABLE TO HEARTBLEED?

IP phones, routers, medical devices, smart TVs, embedded devices and millions of other devices that rely on OpenSSL for secure communications could also be vulnerable to Heartbleed, as these devices are not expected to receive updates soon from Google's Android partners either.

Yesterday, the Industrial Control Systems CERT (ICS-CERT) also warned critical infrastructure organisations (such as energy, utility and financial services companies) to harden their systems against Heartbleed attacks.

7.) WHO IS RESPONSIBLE FOR HEARTBLEED?

We can't really blame any single developer, especially those who contribute to open source projects without financial motivation.

Dr. Robin Seggelmann, the 31-year-old German developer who introduced the heartbeat feature to OpenSSL on New Year's Eve 2011, says it was simply a programming error that unintentionally created the “Heartbleed” vulnerability.

"In one of the new features, unfortunately, I missed validating a variable containing a length," he said; the mistake went undetected by the code reviewers and everyone else for over two years. He added: "I did so unintentionally".

8.) WHO HAS EXPLOITED THIS BUG YET?

Bloomberg accused the National Security Agency (NSA) of having known about the Heartbleed bug for the past two years. Worse, the report says the agency used it continuously to gather information instead of disclosing it to the OpenSSL developers. If true, this would be one of the biggest developments in the history of wiretapping. However, the agency denied the claim, saying the NSA was not aware of Heartbleed until it was made public.

But when it comes to exploiting any known vulnerability, hackers are most likely to top the list. The flaw was so widespread that it affected half a million websites worldwide, so after the public disclosure cybercriminals could hit those sites to steal credentials, passwords and other data before the site operators applied the freely available patch.

Multiple proof-of-concept exploits for the Heartbleed flaw are publicly available.

Not exactly, as a Heartbleed attack can leak anything from the server, including your passwords, credit card details or any other personal information. But to protect your online accounts, you should at least change your passwords immediately on the sites that have fixed the issue, and on the sites that were not affected as well, just to be sure you are safe.

First of all, check whether the sites you use every day are vulnerable to the Heartbleed bug using a Heartbleed checking service or app, and if a site is flagged red, avoid it for now.

The easiest way to stay safe is to use a new add-on for the Chrome browser, Chromebleed, created by security researcher Jamie Hoyle.

To check whether your Android device is safe, you can install the Bluebox Heartbleed Scanner from the Google Play Store. It looks for installed apps that bundle their own copy of OpenSSL, checks the library version, and reports whether heartbeat is enabled.

Well, nobody is sure at this point, because Heartbleed is stealthy and leaves no traces behind, which makes matters worse.

You may never know whether you have been hacked using the flaw. This means there is no way to tell if your information was stolen earlier from a site or service that has since fixed it.

But if you haven't changed your passwords on the popular sites yet, then yes, your password and financial information are still wide open to cybercriminals and spying agencies.

10.) WHAT SHOULD I DO TO PROTECT MYSELF?

First of all, DON'T PANIC. You should change your password everywhere, assuming everything was vulnerable before, just to make sure you are now safe. But hold on: if a site is still affected by the flaw, your effort is wasted, as it is up to the site to fix the vulnerability first; changing the password before the bug is fixed could compromise your new password as well.

Don't reuse old passwords, and it is good practice to use two-factor authentication, where in addition to the password the account requires a freshly generated code that appears only on your personal smartphone before you can sign in to certain sites.

Beware! Hackers can cause traffic jams with just a navigation smartphone app. Two Israeli students were assigned by their college to hack the Google-owned Waze GPS app, an Israeli-made smartphone app that provides directions and alerts drivers to traffic and accidents.

Shir Yadid and Meital Ben-Sinai, fourth-year students at the Technion-Israel Institute of Technology, with the help of two advisers created a program that successfully caused the popular navigation app Waze to report fake traffic jams, Haaretz reported.

They launched a demonstration cyber attack against the popular navigation app with no intention of causing damage; it was a class assignment meant to show what a malicious hacker could do by creating a fake traffic jam in a popular app like Waze, which provides real-time traffic updates and notifications to drivers on the road.

HOW TO JAM TRAFFIC?

To carry out the project, the students built a program that emulated smartphones and registered thousands of fake Waze users with false GPS coordinates. This army of fake users then crowdsourced false road conditions to the app, claiming to be stuck in a traffic jam at those coordinates, potentially causing a scramble.

Doctoral student Nimrod Partush came up with the idea a year earlier after being stuck in a traffic jam with Professor Eran Yahav, one of the project's advisers.

"I told Eran that had we made Waze inform drivers about a traffic jam on the Coastal Highway before we set out, the application would have diverted drivers to Route 4, and we could have driven to Tel Aviv along the Coastal Highway with no traffic jams," said Partush, in an interview with Haaretz.

Cleverly, although the hack redirected users, it did not touch infrastructure or traffic lights the way an accident would. Instead, it took advantage of a popular navigation app and fooled its users.

The students and their advisers, in white hat style, informed Waze of the attack and submitted a report on the demonstration to help the company improve its app and prevent similar hacks in the future.

The Waze navigation app is widely used in Israel and was so popular that Google bought it last summer for $1 billion.

Barely two months ago we reported on the first widely spread Android bootkit malware, dubbed 'Oldboot.A', which infected more than 500,000 Android smartphone users worldwide in the past eight months, especially in China.

Oldboot is Android malware designed to re-infect mobile devices even after a thorough cleanup. It resides in the memory of infected devices, modifies the device's boot partition and boot script to launch a system service, and extracts a malicious application during the early stage of system boot.

Now Chinese security researchers from '360 Mobile Security' have released another alarming report on Oldboot. They have discovered a new variant of the family, dubbed 'Oldboot.B', designed much like Oldboot.A but with more advanced stealth techniques, especially defences against antivirus software, malware analysers and automated analysis tools. "The Oldboot Trojan family is the most significant demonstration of this trend," the researchers said.

Oldboot.B, the Android bootkit malware, has the following abilities:

It can install malicious apps silently in the background.

It can inject malicious modules into system processes.

It can prevent malware apps from being uninstalled.

It can modify the browser's homepage.

It can uninstall or disable installed mobile antivirus software.

INFECTION & INSTALLING MORE MALWARE APPS

Once an Android device is infected by the Oldboot.B trojan, it listens continuously on a socket and receives and executes commands from the attacker's command-and-control server.

The malware carries hidden ELF binaries that include steganographically encrypted strings, executable code and a configuration file downloaded from the C&C server located at az.o65.org (IP 61.160.248.67).

After installation, the Oldboot trojan installs many other malicious Android applications or games on the infected device that the user never chose to install.

MALWARE ARCHITECTURE

The Oldboot.B architecture comprises four major components, which execute automatically at system startup by registering themselves as services in the init.rc script:

1) boot_tst - uses a remote injection technique to inject an SO file and a JAR file into the Android 'system_server' process, listens continuously on a socket, and executes the commands sent to it.

2) adb_server - replaces the Android system's pm script with itself and is used for anti-uninstallation functionality.

3) meta_chk - updates the configuration file and downloads and installs promoted Android apps in the background. The configuration file is encrypted, which greatly increases the time required to analyse it.

To evade detection, meta_chk deletes itself from the file system, leaving only the injected process. Android antivirus software does not support scanning process memory on the Android platform, so it cannot detect or delete the Oldboot trojan residing in memory.

4) agentsysline - a module written in C++ that runs as a background daemon to receive commands from the command-and-control server. This component can uninstall antivirus software, delete specific files, enable or disable the network connection, and so on.
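Because the components above persist by registering services in init.rc, one defensive check is to audit the services a device image starts at boot against a list of what the firmware is known to ship. The following Python script is an added example, not code from the article or from 360 Mobile Security: it parses `service` stanzas from an init.rc file (the `service <name> <path> [args]` stanza format is standard Android init syntax), flags any whose binary is not on an allowlist, and separately flags names matching the four Oldboot.B component names given in the article. The init.rc fragment and the allowlist are constructed; on a real device you would build the allowlist from a known-good copy of the same firmware.

```python
import re

# Constructed init.rc fragment: two services as they appear on a stock image,
# plus one stanza whose name and binary match an Oldboot.B component.
SAMPLE_INIT_RC = """\
import /init.usb.rc

on boot
    class_start core

service servicemanager /system/bin/servicemanager
    class core
    user system
    critical

service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system
    disabled

service boot_tst /system/bin/boot_tst
    class core
    user root
    oneshot
"""

# Constructed allowlist: binaries the known-good firmware starts at boot.
EXPECTED_SERVICE_BINARIES = {"/system/bin/servicemanager", "/sbin/adbd"}

# Component names reported for Oldboot.B in the article.
OLDBOOT_COMPONENTS = {"boot_tst", "adb_server", "meta_chk", "agentsysline"}

SERVICE_RE = re.compile(r"^service\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_services(init_rc_text):
    """Return one dict per service stanza: name, binary, args and option lines."""
    services, current = [], None
    for raw in init_rc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("on ", "import ")):
            current = None          # a trigger or import ends any open stanza
            continue
        m = SERVICE_RE.match(line)
        if m:
            current = {"name": m.group(1), "binary": m.group(2),
                       "args": (m.group(3) or "").split(), "options": []}
            services.append(current)
        elif current is not None:
            current["options"].append(line)
    return services


def audit_services(init_rc_text, allowlist=EXPECTED_SERVICE_BINARIES):
    """Return (name, binary, reasons) for each service that deserves a look."""
    findings = []
    for svc in parse_services(init_rc_text):
        reasons = []
        if svc["binary"] not in allowlist:
            reasons.append("binary not in firmware allowlist")
        basename = svc["binary"].rsplit("/", 1)[-1]
        if svc["name"] in OLDBOOT_COMPONENTS or basename in OLDBOOT_COMPONENTS:
            reasons.append("matches a reported Oldboot.B component name")
        if reasons:
            findings.append((svc["name"], svc["binary"], reasons))
    return findings


if __name__ == "__main__":
    for name, binary, reasons in audit_services(SAMPLE_INIT_RC):
        print(f"{name} ({binary}): {'; '.join(reasons)}")
```

The allowlist comparison is the check that generalises: a boot-time service whose binary the firmware never shipped is suspicious whatever it is called, while the name match only catches this one family. Because Oldboot modifies the boot partition, the init.rc to audit is the one extracted from the device's boot image, not a copy from the vendor's source tree.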

PROBLEMS FOR SECURITY RESEARCHERS

To make life harder for malware analysts, the malware:

adds meaningless code and triggers some behaviours at random;

checks for a SIM card in the device and will not perform certain behaviours if none is present, to fool sandboxes and emulators;

checks for the presence of antivirus software and may uninstall it before doing anything malicious.

The malware uses steganography to hide its configuration file inside images:

"But after some analysis, we found that the configuration of meta_chk is hidden in this picture, which contains the commands that will be executed by meta_chk and other information," the researchers said. The size of this configuration file is 12,508 bytes.

"Depending on the commands sent from the C&C server, it can do many different things, such as sending fake SMS messages or phishing attacks, and so on. Driven by profit, the Oldboot Trojan family changes very fast to react to any situation."

Oldboot.B is one of the most advanced Android malware families and is very difficult to remove, but the antivirus firm 360 Mobile Security has released a free Oldboot detection and removal tool, which you can download from its website.

To avoid infection, smartphone users should only install apps from trusted stores; make sure the Android setting 'Unknown sources' is unchecked to prevent dropped or drive-by app installs; avoid untrusted custom ROMs; and install a mobile security app.


The use of unmanned aerial vehicles (UAVs), or drones, is rapidly transforming the way we go to war. Drones were once used for land surveillance and pizza delivery, then equipped with bombs that changed how nations wage war, and now these hovering drones are ready to hack your smartphone.

London-based SensePost security researchers have developed a drone called 'Snoopy' that can intercept data from your smartphone using spoofed wireless networks, CNN Money reported.

The drone searches for WiFi-enabled devices and then, using its built-in technology, sees which networks the phones have connected to in the past and pretends to be one of those old networks.

Spoofing a WiFi network the device has already joined allows the Snoopy drone to connect to the targeted smartphone without any authentication or user interaction. In technical terms, the drone performs a wireless 'evil twin' attack against the smartphone.

Snoopy is self-powered and extremely mobile, and the researchers successfully captured Amazon, PayPal, and Yahoo credentials while testing it in the skies over London.

The collection of metadata, including wireless network names and device IDs, is not illegal, but intercepting personal data would likely violate wiretapping and identity theft laws.

If the technology got into the hands of criminals, there are all kinds of things they could do. The researchers said they have no malicious intent in developing the Snoopy drone; they are demonstrating the technology to highlight how vulnerable smartphone users can be.

Such WiFi attacks are simple to execute and are becoming far more common these days. If you are concerned about them, turn off your phone's automatic WiFi network-joining feature.

Google’s Android operating system may be open source, but the version of Android that runs on most phones, tablets, and other devices includes proprietary, closed-source components.

Phone makers, including Samsung, ship their smartphones with a modified version of Android that includes pre-installed proprietary software, and because those closed-source apps receive no independent code review, it is hard to verify their integrity and to detect the presence of backdoors.

Paul Kocialkowski, a developer of the Replicant OS, has uncovered a backdoor pre-installed on Samsung Galaxy devices and the Nexus S that provides remote access to all the data on the device.

Replicant OS is an open source operating system based on the Android mobile platform, which aims to replace all proprietary Android components with their free software counterparts.

In a blog post, he explained that smartphones come with two separate processors: a general-purpose applications processor that runs the Android OS, and another, known as the modem, responsible for communications with the mobile telephony network.

The researcher found that Samsung's IPC protocol, which runs in the background and is bound to the communications processor, allows the modem to remotely read, write, and delete files on the user's phone storage. The Samsung IPC protocol implements a class of requests, known as RFS commands, that allow the modem to perform remote I/O operations on the phone's storage.

"The spying can involve activating the device's microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone. Moreover, modems are connected most of the time to the operator's network, making the backdoor nearly always accessible."

This backdoor might have been placed there accidentally, but the ability to remotely modify the user's personal data without the user's knowledge poses a serious threat.

"It is possible to build a device that isolates the modem from the rest of the phone, so it can't mess with the main processor or access other components such as the camera or the GPS."

"The incriminated RFS messages of the Samsung IPC protocol were not found to have any particular legitimacy nor relevant use-case. However, it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a backdoor," he said.

"However, some RFS messages of the Samsung IPC protocol are legitimate (IPC_RFS_NV_READ_ITEM and IPC_RFS_NV_WRITE_ITEM) as they target a very precise file, known as the modem's NV data," he added.

Smartphones are always connected to the Internet and contain sensitive information such as contacts, SMS, photos, and GPS data, and this sensitive information is always in danger of leaking.

According to a report, cybercriminals and state-sponsored hackers are developing 55,000 new malware variants every day, and many of them try to elevate privileges to gain unfettered control of the user's device.

North Carolina State University researchers have developed new software, called Practical Root Exploit Containment (PREC), with the sole purpose of detecting mobile malware that attempts to run root exploits on Android devices. Root exploits take control of the operating system's administrative functions, giving the attacker unrestricted control of the user's smartphone.

That means an application that has no permission to read your messages, contacts or GPS location will, after gaining root access, be able to steal any data from your device.

Anomaly detection is an existing detection technique that compares the behavior of a downloaded smartphone application, such as Google Chrome, with a database of how the application should be expected to behave. "When deviations from normal behavior are detected, PREC analyses them to determine if they are malware or harmless 'false positives.'"

The PREC tool uses refined anomaly detection techniques to avoid false positives. "Anomaly detection isn't new, and it has a problematic history of reporting a lot of false positives," said Dr. Will Enck, co-author of the research paper.

PREC targets code written in C, which is usually what attackers use to create root exploits, and can identify calls made to native C code from a Java program.

The researchers tested a prototype of the tool on the Google Galaxy Nexus device against 150 Android apps, 10 of which contained root exploits. "We can achieve a 100 percent detection rate and raised false alarms in one out of 140 popular apps tested," he said.

Malware writers have developed techniques that hide malware until the application is installed on the smartphone, but thanks to Google, most apps in the Google Play store are fairly clean. Still, the best protection is common sense: ensure you only install apps from trusted sources.

Snapchat, a smartphone application that lets users share snapshots with friends, is catching fire among teenagers. It was first hacked in December, when the details of 4.6 million Snapchat users were exposed in a database breach.

Later, a denial-of-service attack and a CAPTCHA security bypass were discovered by other researchers within the last two to three weeks. Snapchat has no vulnerability reward program, but many penetration testers are still working hard, free of charge, to make the application more secure by disclosing flaws.

Interestingly, this is not the end of the vulnerabilities: Mohamed Ramadan, a security researcher with Attack-Secure from Egypt, has spotted a new vulnerability in Snapchat that allows an attacker to brute-force users' login credentials. Brute-forcing is the process of trying multiple passwords against a username until the correct password is found.

"This vulnerability allows anyone who knows your Snapchat email to brute force your account's password without any protection from Snapchat's side; there is no lockout, limited tries or even CAPTCHA," he said in a blog post.
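The missing control here is a per-account failure limit. The following is an added example, not Snapchat's code, that simulates the same login endpoint with and without a lockout after a fixed number of failed attempts and shows how many guesses each variant answers; the account, password and guess list are constructed.

```python
"""Per-account failed-login lockout for a login endpoint.

Added example (not Snapchat's code). Simulates a login service with and
without a failure counter and cooldown, the control the article says the
vulnerable endpoint lacked. Accounts, passwords and guesses are constructed.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5          # wrong guesses before the account is locked
LOCKOUT_SECONDS = 300     # cooldown before the account accepts logins again
DUMMY_SALT = os.urandom(16)


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example stdlib-only; a memory-hard KDF is preferable in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    def __init__(self, throttle: bool, clock=time.time):
        self.throttle, self.clock, self.accounts = throttle, clock, {}

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[email] = Account(salt, _digest(password, salt))

    def login(self, email: str, password: str) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'."""
        acct = self.accounts.get(email)
        if acct is None:
            _digest(password, DUMMY_SALT)   # same cost as a real check, so timing does not reveal valid emails
            return "bad_credentials"
        now = self.clock()
        if self.throttle and acct.locked_until:
            if now < acct.locked_until:
                return "locked"             # refused before the password is even compared
            acct.failures, acct.locked_until = 0, 0.0   # cooldown elapsed, start fresh
        if hmac.compare_digest(_digest(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.throttle and acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
        return "bad_credentials"


def simulate(throttle: bool, clock=time.time):
    """Run 20 constructed wrong guesses, then the real password, against one account.

    Returns (guesses actually checked, guesses refused as locked, result for the real password).
    """
    svc = LoginService(throttle, clock)
    svc.register("victim@example.com", "correct horse battery")     # constructed account
    results = [svc.login("victim@example.com", f"guess{i}") for i in range(20)]
    final = svc.login("victim@example.com", "correct horse battery")
    return results.count("bad_credentials"), results.count("locked"), final
```

Without throttling all 20 guesses are checked and the 21st succeeds; with it only 5 are checked, the rest are refused, and even the correct password is refused until the cooldown ends. Per-account lockout alone can be abused to lock users out, so a deployed endpoint pairs it with per-source rate limiting and a CAPTCHA, as the researcher's quote suggests.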


He found this security flaw late in 2013 and reported it to Snapchat's security team, which took two months to fix it. The vulnerability has now been fixed, but users are always recommended to use strong passwords.

These security flaws don't mean that Snapchat is losing its reputation in the market, as security issues are common in every app we use today; moreover, it is the popularity and ease of use of the app that led Facebook to offer $3 billion to purchase it, an offer the Snapchat CEO rejected.

Smartphone manufacturers are adding ways for owners to track and manage their phones if they ever get lost or stolen. Find My iPhone is a service that comes with every iOS device and allows you to track your iPhone, whether it was lost or stolen.

Normally, the iPhone requires a password if you want to deactivate "Find My iPhone", but the protection isn't perfect, and thieves are now able to disable 'Find My iPhone' on devices running iOS 7.0.4 and lower without having to enter a password.

The exploit was discovered and demonstrated by security researcher Bradley Williams; a successful bypass means you won't be able to locate the device, make it play a sound, or wipe it.

The vulnerability puts devices at risk, and the exploitation method involves a few simple changes to the iCloud settings that can be made without knowing the password.

Steps to hack 'Find My iPhone':

Navigate to iCloud in the settings.

Select your account.

Change the password to an incorrect one, then tap Done.

When the 'wrong password' warning is displayed, tap OK and then tap Cancel.

Reselect your account.

Empty the description field and then press Done.

You will notice Find My iPhone is now toggled off.

The exploit also requires physical access to the device, and it only works if the user hasn't set a passcode or enabled the iPhone 5S fingerprint-based Touch ID system. Hackers were not able to reproduce it on the iOS 7.1 beta, which means the flaw will be fixed in the next iOS update, expected to reach devices in March.

Users are recommended to activate Apple's device lock system, which blocks a thief from erasing and re-activating a stolen phone unless they enter your Apple ID and password.

In the era of smartphones, Apple's iPhone is the most popular device there is, which in itself is reason enough to target it.

According to leaked documents shared by security researcher Jacob Appelbaum, a secret NSA program code-named DROPOUTJEEP has nearly total access to Apple's iPhones, using "modular mission applications to provide specific SIGINT functionality."

While giving a presentation at the Chaos Communication Congress (30C3) in Hamburg, Germany on Monday, Appelbaum revealed that the NSA is reportedly sniffing out every last bit of data from your iPhone.

DROPOUTJEEP is a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.

The program is capable of gathering information from the phone, sending and receiving files from the exploited devices, and gaining access to the devices' contact lists, text messages and more.

'The NSA claims that anytime they target an iOS device, it will succeed. So either they have a huge collection of exploits against Apple products, meaning they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves,' he said.

The NSA can also remotely enable the iPhone's camera and microphone, but the method of installation is not entirely clear. The spyware tool was reportedly developed in 2008 to target the first iPhones.

On Tuesday Apple denied the allegations and said it played no role in the National Security Agency's efforts to hack the iPhone. The company released the following statement:

Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products. We care deeply about our customers' privacy and security. Our team is continually working to make our products even more secure, and we make it easy for customers to keep their software up to date with the latest advancements. Whenever we hear about attempts to undermine Apple's industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who's behind them.

Firefox OS is a mobile operating system based on Linux and Mozilla’s Gecko technology, whose environment is dedicated to apps created with just HTML, CSS, and JavaScript.

After almost two years of development, Mozilla officially launched its Firefox OS devices in stores a few months ago, and now the first malware for the brand-new platform is available.

Shantanu Gawde, a 17-year-old independent security researcher, is going to demonstrate the very first known malware for Firefox OS at the upcoming information security summit The Ground Zero (G0S) 2013, to be held on November 7th-10th, 2013 at The Ashok, New Delhi.

Firefox OS is different: every app in Firefox OS, including the Camera and the Dialer, is a web app, i.e. a website in the form of an app. Mozilla has developed Web APIs so that HTML5 apps can communicate with the device's hardware, and Shantanu has used those same APIs to exploit the device for malicious purposes.

Basically, there are two types of Firefox OS apps: packaged and hosted. Packaged apps are essentially a zip file containing all of an app's assets: HTML, CSS, JavaScript, images, manifest, etc.

Hosted apps are websites that are themselves the application, meaning you can host the app on a publicly accessible web server, just like any other website. His demonstration will showcase a malware app he developed using just HTML, CSS, and JavaScript, capable of performing many malicious tasks remotely on the device, i.e. accessing SD card data, stealing contacts, downloading and uploading files on the device, tracking the geographical location of the user, etc.

"The purpose of the PoC is of course to motivate developers to ensure better security on their platforms rather than providing inspiration to those with malicious intents," he told 'The Hacker News'.

The rapid growth and evolution of mobile malware is swiftly becoming a highly profitable business for cybercriminals. According to the third annual Mobile Threats Report from Juniper Networks, mobile malware threats grew by a huge 614% in the period from March 2012 to March 2013.

With mobile malware on the rise and attackers becoming increasingly clever, they are also targeting every possible new platform. Make sure you are at Ground Zero this year to see a live threat to one of the most prominent upcoming mobile operating systems.

Update : A Mozilla spokesperson provided the following statement: "We are aware of plans to demonstrate a malware app able to perform malicious tasks on the Firefox OS phone. Such attacks usually rely on developer mode functionality, which is common to most Smartphones but disabled by default. In addition, we believe this demonstration requires the phone to be physically connected to a computer controlled by the attacker, and unlocked by the user."

Researchers at the University of Alabama at Birmingham (UAB) have presented research showing that it is possible to trigger malware hidden in mobile devices using music, lighting, or vibration.

In a research paper titled “Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices”, the researchers reported that they triggered malware hidden in mobile devices using music from 17 meters away in a crowded hallway.

Once activated, the malware would carry out programmed attacks either by itself or as part of a wider botnet of mobile devices. Presenting their findings at a conference earlier this month, the researchers explained how sensors in ubiquitous mobile devices have opened the door to a new generation of mobile malware that unsuspecting users unwittingly download onto their devices.

Since the trigger needs to be relatively close to the smartphone to activate any hidden malware, any threats would be limited to the local environment. "We showed that these sensory channels can be used to send short messages that may eventually be used to trigger a mass-signal attack."

The researchers found that cameras and microphones were the most effective way to trigger malware, but also noted that a heavy bass pattern could trigger the vibration sensor. They were also successful, at various distances, using music videos; lighting from a television, computer monitor and overhead bulbs; vibrations from a subwoofer; and magnetic fields.

As a possible defense, they suggested that anti-malware software should scan sensor data for signs of any such triggers. "We need to create defenses before these attacks become widespread, so it is better that we find out these techniques first and stay one step ahead."

More than 50 million smartphone users worldwide face a risk posed by a critical flaw in the Viber app. The security company Bkav announced that it has found a way to gain full access to Android phones using the popular Viber messaging app.

Unlike the Samsung lock screen issue we reported on earlier, this attack doesn't take any fancy finger work. Instead, all it needs is two phones, both running Viber, and a phone number.

"The way Viber handles to popup its messages on smartphones' lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear," said Mr. Nguyen Minh Duc, Director of Bkav's Security Division.

Steps to exploit:

Send Viber message to victim

Combine actions on Viber message popups with tricks like using victim's notification bar, sending other Viber messages, etc. to make Viber keyboard appear

As the above videos demonstrate, the latest vulnerability affects a variety of handsets as long as they have Viber installed. People rely on their smartphones to keep their e-mails, contacts, and other sensitive information, so the company plans to release a fix for the issue next week.

It appears that another malware scare has come to Android. Lookout Security said on Friday that it has discovered a new family of malware called BadNews. The malware avoided detection, made its way onto the Google Play store and has been downloaded around 9 million times by users from all over the world.

The company uncovered the malware in 32 applications listed by four different developer accounts on Google Play. Google was notified and the company removed the affected apps and killed the developer accounts associated with them.

In its report, the firm describes the malware: "BadNews masquerades as an innocent, if somewhat aggressive advertising network. This is one of the first times that we've seen a malicious distribution network clearly posing as an ad network. Because it's challenging to get malicious bad code into Google play, the authors of Badnews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app security. Badnews has the ability to send fake news messages, prompt users to install applications and sends sensitive information such as the phone number and device ID to its Command and Control (C&C) server. BadNews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps."

Lookout published the full list of known affected apps, with over half of them targeted at Russian users:

BadNews apps were also observed using those fake news messages to promote affiliated apps and to push other types of monetization malware. One of the apps being pushed was AlphaSMS, a premium-rate SMS app.

Lookout has identified three command and control servers, in Russia, Ukraine and Germany. All of the C&C servers are still live, but Lookout is working hard to bring them down as quickly as possible.

To be safe, make sure the Android system setting 'Unknown sources' is unchecked to prevent any dropped or drive-by-download app installs. Also, install a mobile security app that protects against malware and other threats.

After a series of security issues, it appears that Apple still has not been able to resolve all the issues in iOS. Last week, Apple rolled out its iOS 6.1.2 update to owners of the iPhone, iPad and iPod touch in an effort to fix the 3G connectivity and Exchange calendar bugs.

Hackers found an iOS 6 bug two weeks ago that allowed thieves into your phone, but only the Phone app and the features contained within it could be accessed. Just after that, another screen lock bypass vulnerability in iOS 6.1 was reported by Vulnerability Lab.

This vulnerability allows users to bypass the lock screen passcode and access the phone's photos and contacts. Researchers say the vulnerable device can be plugged into a computer via USB to access data like voicemails, pictures, contacts, etc.

This particular vulnerability was shared in detail in a YouTube video for the masses; you can see the video tutorial below:

Steps to Follow:

Connect your device to iTunes and the App Store to make sure the code lock is activated

Push the power button (top|right)

The mobile will be activated and the iOS code lock will be visible

Now, you click on the emergency call

Try to dial any random emergency call number from a public listing (we used 911, 110 and 112)

Call the number and cancel the call directly after dialling, without a direct connection to the number

Push the power button again and then push the iPhone button (square) in the middle

In the next step, push the power button for 3 seconds, and in the third second also push the square with one finger and the emergency call button with another

After pushing all 3 buttons, take your finger off the square (middle) button and then off the power button

The display of the iOS will be black (blackscreen)

Take out your USB plug and connect it to the iOS device in black screen mode

All files like photos, contacts and so on will be available directly from the device's storage without the PIN to access them.

Note: There is a limitation to this method that the hackers do not actually mention. The iOS file system is encrypted, so when your passcode-protected iPhone is connected to a new computer, it must first be unlocked before the computer can access it. Smooth connectivity is only possible if the computer used to gain access to your file system has been successfully connected to your iPhone before.

It's not clear if the company is aware of this second flaw or if a fix for it is also inbound.